UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF INSPECTOR GENERAL

MEMORANDUM

March 1, 2010

TO:       Carlo V. di Florio, Director, Office of Compliance Inspections and Examinations
          Charles L. Boucher, Director and Chief Information Officer, Office of Information Technology

FROM:     H. David Kotz, Inspector General, Office of Inspector General

COPY:     Kayla Gillan, Deputy Chief of Staff, Office of the Chairman
          John Walsh, Associate Director/Chief Counsel, Office of Chief Counsel, Office of Compliance Inspections and Examinations

SUBJECT:  Management Alert - Data Security Vulnerabilities, Report No. 477

Three recent investigations undertaken by the Securities and Exchange Commission (SEC or Commission), Office of Inspector General (OIG) have raised concerns about data security at the SEC. In 2008 and 2009, the OIG undertook two investigations involving the unauthorized release of non-public records available on the Office of Compliance Inspections and Examinations (OCIE) intranet sites and/or shared network drives. In a third investigation, the OIG learned that files pertinent to our investigation had been deleted or removed from an OCIE shared network drive and have not been recovered. Despite the OIG conducting extensive e-mail review and witness interviews, the sources of the release of non-public information and file removal have not been identified because OCIE's intranet sites and shared network drives do not employ auditing[1] systems.

The purpose of this Management Alert is to present our concerns to you in writing. We ask that you respond within five business days of receipt of this letter and identify the actions your offices have taken, or plan to take, to address two significant areas of data security concern:

    1. Vulnerability of the OCIE intranets and
    2. Vulnerability of the OCIE shared network drives.

This review was not conducted in accordance with government auditing standards.

[1] Auditing as used in this Management Alert refers to blocking, tracking, or controlling data.

Data Security Vulnerabilities          1          March 18, 2010
Report No. 477

BACKGROUND

Summary

The SEC does not have in place an auditing system for OCIE intranet sites or its shared network drives. OCIE's intranet sites and shared network drives store extensive non-public information, including inspection and examination reports, deficiency letters, and other documents containing confidential registrant information. Approximately 2,000 employees have access to OCIE's intranet sites or shared network drives. However, use of the OCIE intranet sites and shared network drives is not audited, which allows users to view, print, copy, download, move, edit, or delete documents and files without detection.[2]

1. The OCIE Intranet Sites

The OCIE intranet sites are internal Commission websites designed to allow for data sharing and to provide historical reference and training materials for inspections and examinations. OCIE has a central intranet site, an intranet site containing training materials, and additional intranet sites for certain sub-groups within OCIE. The OCIE intranet sites contain confidential non-public information, such as inspection and examination reports, communications with registrants, deficiency letters, and policies and procedures for examination staff. Many of these documents are also stored on OCIE's shared network drives.

According to information provided by OCIE's information technology staff and OCIE's Office of Chief Counsel, the OCIE intranet sites pose a serious security threat as they are accessible to nearly 2,000 Commission employees, including over 1,000 OCIE employees and over 1,300 Division of Enforcement staff.[3] According to OCIE's information technology staff, the OCIE intranet sites are vulnerable to having information, such as registrant data, misappropriated by OCIE intranet site users.[4]

Despite that many OCIE intranet site users do not have full access rights to the sites, limited access is sufficient to pose a serious data security risk. Many OCIE intranet site users have "read-only" access, meaning that they are unable to alter the text of documents on the OCIE intranet sites. However, read-only users are still able to view, print, copy, and download information. Because use of the OCIE intranet sites is not audited, those with access to the OCIE intranet sites are able to take data and other information from the OCIE intranet sites without detection.

[2] Controls over the OCIE intranets and shared network drives are interrelated because many of the documents available on the shared network drives are also available on the intranet.
[3] The central OCIE intranet site containing registrant materials is accessible to approximately 1,000 OCIE staff, 16 executive staff, 124 Division of Investment Management staff, and 17 Division of Trading and Markets staff. The OCIE intranet site containing non-public OCIE training materials is available to OCIE staff and approximately 1,325 Division of Enforcement staff.
[4] OCIE information technology staff stated that they are aware of at least one data theft.

2. OCIE Shared Network Drives

Shared network drives[5] are depositories for shared projects for each office or division. According to OCIE's Office of Chief Counsel, the shared network drives promote knowledge and information sharing by allowing open access to employees with rights to a particular drive. The OCIE shared network drives hold documents containing highly confidential information, including examination and inspection reports, electronic productions from registrants, correspondence, work papers, registration materials, spreadsheets, and work product. Each regional office has its own shared network drive. Most users can view, print, copy, download, edit, move, and even delete files from the shared drives.

Currently the SEC does not audit who accesses the shared network drives or who deletes or alters files contained therein. When items are deleted from shared network drives, they are sent to a recovery bin with limited storage capacity. Once the bin's capacity is reached, the older files are purged. In OCIE, the purge occurs in less than [redacted] days. Once purged, those files often cannot be recovered.[6]

Recent Incidents

The following three recent OIG investigations have involved the removal or deletion of documents from OCIE's shared network drives or the unauthorized release of confidential information that was stored on OCIE's intranet sites and/or shared network drives. The sources of these data security breaches have not been identified because OCIE's intranet sites and shared network drives do not employ an auditing system.

3. Documents Deleted from an OCIE Shared Network Drive

As part of Case No. OIG-496, a staff accountant discovered in January 2009 that all of the files regarding a particular registrant were missing from an OCIE shared network drive. The missing files included work product generated by OCIE staff, such as an examination report, interoffice memoranda, correspondence, and relevant e-mail gathered during an 18-month examination.

The files were necessary for an OIG investigation involving serious allegations about the registrant and the SEC's actions in response to those allegations. The Office of Information Technology was unable to determine who deleted the files or when the files were deleted.

[5] The shared network drives are often referred to as the "J: drive," but within SEC Headquarters, the shared network drives are comprised of the J:, K:, and L: drives.
[6] Forensic experts can be retained to attempt to recover the files, but it is very costly and may not be successful.

4. OCIE Examination Report Leaked to the Press

At the request of an SEC registrant, [redacted], the OIG opened PI No. 09-62, a preliminary inquiry into the leak of confidential e-mail to the Wall Street Journal. The OIG found that the excerpts of the confidential e-mail that had appeared in the Wall Street Journal in [redacted] were from e-mail provided to OCIE during a routine examination of [redacted] and had been included in an OCIE examination report of Bernard L. Madoff Investment Securities LLC.

The OCIE examination report was stored on the OCIE intranet site and an OCIE shared network drive and had been circulated to a variety of officials within the Commission. The OIG reviewed the e-mail of report recipients, but has been unable to narrow down and locate the source of the leak because the OCIE intranet and shared network drives were unaudited.

[Redacted] was outraged by the public release of its internal e-mail communications. Personnel from OCIE's Office of Chief Counsel have reported that [redacted] was less cooperative in a recent examination and used the leak of its confidential e-mail as a reason for not producing requested documents.

5. Non-public Version of an SEC Report Leaked to the Press

In Case No. OIG-500, the OIG investigated the disclosure of a non-public version of an SEC report containing issues identified in the SEC staff's examination of select nationally recognized statistical rating organizations (NRSROs). The SEC report was harshly critical of the NRSROs. The public version of the SEC's report contained the critical findings, but redacted the names of the NRSROs and quotations from confidential e-mail because the SEC staff had assured the participating NRSROs that their identities would be kept confidential. However, the non-public version of the report that was leaked to the Wall Street Journal in August 2008 contained the names of the NRSROs examined, the identities of certain individuals, and excerpts from confidential e-mail.

The non-public version of the report provided to the Wall Street Journal had been stored on an OCIE shared network drive and was circulated to a small number of people. Despite reviewing over 130,000 e-mails and taking the testimony of 25 SEC employees, the OIG was unable to identify the source of the leak because drafts of the report were available on an OCIE shared network drive and could have been accessed and printed by any OCIE employee without detection.

The OIG investigation found that the Wall Street Journal's publication of this information was disturbing to the firms and embarrassing to the SEC staff who had assured the participating NRSROs of confidentiality.

Effects

The failure to audit the use of the OCIE intranet and shared network drives has allowed the sources of the unauthorized release of confidential non-public information and the deletion/removal of OCIE files to remain undetected.

Leaks, such as those discussed above, have negatively impacted the relationship of the SEC with its registrants. Registrants regularly provide the SEC with confidential information, and the release of this information to the press may cause registrants to be reluctant to cooperate in SEC examinations and investigations, for fear that their confidential information will become public. Moreover, failure to audit the use of OCIE's shared network drives and intranet sites poses a grave data security concern because it makes registrant data vulnerable to undetected theft. Hence, we believe that prompt action should be taken to address these data security vulnerabilities.


Memorandum

Date:     March 10, 2010

To:       David Kotz, Inspector General, OIG

From:     Charles Boucher, Chief Information Officer

CC:       Carlo di Florio, Director, OCIE
          Kayla Gillan, Deputy Chief of Staff, Office of the Chairman
          John Walsh, Associate Director and Chief Counsel, OCIE
          Diego Ruiz, Executive Director, OED

Subject:  OIG Management Alert - Data Security Vulnerabilities, Report #477

This memo acknowledges receipt of the subject OIG Management Alert, dated March 1, 2010. In summary, the OIG is requesting that the system feature of auditing access to files on the shared drives and intranet for OCIE be turned on so that it may be easier to identify who has used files for unauthorized purposes. There are a number of different options on how auditing could be implemented, and a substantial investment is likely to be required due to the additional processing, storage, access tools, and staff resources to support such an activity. In addition, management needs to consider whether the benefits of auditing file access justify the investment, and if so whether it should be implemented beyond OCIE, as well as if there are any business process changes which should be considered.

OIT has begun analysis on the technology aspects of the OIG's request and will work with the businesses and agency management to decide a course of action.


MEMORANDUM

TO:       David Kotz, Inspector General, Office of Inspector General ("OIG")

FROM:     Carlo di Florio, Director, Office of Compliance Inspections and Examinations ("OCIE")
          John Walsh, Associate Director - Chief Counsel, OCIE
          Greg Cobert, Assistant Director, Information Technology, OCIE
          Steve Haupt, Branch Chief, Information Technology, OCIE
          Kris Easter, Assistant Director, OCIE

CC:       Charles Boucher, Chief Information Officer, Office of Information Technology ("OIT")

RE:       Office of Compliance Inspections and Examinations' Response to the Office of Inspector General's Management Alert, Data Security Vulnerabilities, Report No. 477

DATE:     March 11, 2010

OCIE agrees with the need to have in place an auditing system for OCIE intranet sites and OCIE's shared network drives. OCIE Technical Staff is currently working with OIT Staff to review the various audit solutions and to determine the impact of those solutions on OCIE's current business practices. It is expected that it may take some time to evaluate, test and implement a solution and also determine if there is an impact on OCIE's current business processes.